Asia Information Security Community Blog – Risk & Cybersecurity

Browser based website security control

Since I moved from an internal IT risk manager role to a security consulting firm, I have been involved in many different discussions on web application security. These experiences made me think that browsers are not security software and their design has little security consideration. Missing security features in browsers are one of the root causes of today's cybercrime.

There have been some new developments in the browser domain that try to address this root cause. Developers at PayPal, Mozilla and Microsoft have developed three new browser-based security controls:

Content Security Policy (CSP)

HTTP Strict Transport Security

Frame Options

These are IMPORTANT security features and, once enabled, will stop most XSS attacks. However, these security features need both server- and client-side implementations in order to provide their protection. Not all browsers support these new features! Only Firefox 4 and IE10 do.

The Australian Department of Defence published a comprehensive and user-friendly document on these features. It is a must-read for all web developers.

To test whether your browser supports Content Security Policy, we can go to the Internet Storm Centre. If you see only one JavaScript popup, your browser supports CSP. Recently, a security firm, Recx Ltd, created a Chrome extension that analyses a web page's security features. It checks the HTTP headers and cookie settings against best practices, then shows the result in a simple and direct way. I installed it on Chrome and used it to test some websites. The first is HKCERT, where a few of my friends work. I am sure they do not mind demonstrating web security implementations.
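The three controls listed above are all delivered as HTTP response headers, and the extension described here is essentially a header audit. The script below is an added example, not code from this post, from Recx Ltd or from any browser vendor: it parses a captured response header block and reports a missing or permissive Content-Security-Policy, a missing or short-lived Strict-Transport-Security, a missing X-Frame-Options, and cookies without the Secure or HttpOnly flags. The two sample responses are constructed, the example.test host name is a placeholder, and the one-year HSTS max-age threshold is a choice made for this example, not a value taken from the post.

```python
"""Audit an HTTP response for CSP, HSTS, X-Frame-Options and cookie flags.

Added example (not the post's, Recx Ltd's or any browser vendor's code).
The sample responses below are constructed; example.test is a placeholder.
"""
import re

# Threshold chosen for this example: report an HSTS max-age under one year.
MIN_HSTS_MAX_AGE = 31536000


def parse_raw_headers(raw):
    """Turn a captured header block into {name: [values]}, skipping the status line."""
    headers = {}
    for line in raw.splitlines():
        if not line.strip() or line.upper().startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")  # split at the first colon only
        headers.setdefault(name.strip(), []).append(value.strip())
    return headers


def _get(headers, name):
    """Case-insensitive header lookup returning every value (possibly none)."""
    return [v for k, vs in headers.items() if k.lower() == name.lower() for v in vs]


def _csp_directives(policy):
    """Split "default-src x; script-src y z" into {'default-src': ['x'], ...}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers, https=True):
    """Return a list of findings; an empty list means nothing weak was seen."""
    findings = []

    csp = _get(headers, "Content-Security-Policy")
    if not csp:
        findings.append("CSP: header missing, script sources are unrestricted")
    else:
        directives = _csp_directives(csp[0])
        # script-src falls back to default-src when it is not given explicitly
        script_src = directives.get("script-src", directives.get("default-src"))
        if script_src is None:
            findings.append("CSP: neither script-src nor default-src is set")
        else:
            if "'unsafe-inline'" in script_src:
                findings.append("CSP: script-src allows 'unsafe-inline', so injected inline scripts still run")
            if "*" in script_src:
                findings.append("CSP: script-src allows scripts from any origin (*)")

    if https:
        hsts = _get(headers, "Strict-Transport-Security")
        if not hsts:
            findings.append("HSTS: header missing, browser will still follow http:// links to this host")
        else:
            m = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.IGNORECASE)
            if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
                findings.append("HSTS: max-age missing or shorter than one year")

    xfo = _get(headers, "X-Frame-Options")
    if not xfo:
        findings.append("X-Frame-Options: header missing, page can be framed by other sites (clickjacking)")
    elif xfo[0].strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: value {xfo[0]!r} is not DENY or SAMEORIGIN")

    for raw_cookie in _get(headers, "Set-Cookie"):
        name = raw_cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in raw_cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"Cookie {name}: missing HttpOnly, readable by script after an XSS")
        if https and "secure" not in attrs:
            findings.append(f"Cookie {name}: missing Secure, may be sent over plain HTTP")
    return findings


# Constructed sample: all three controls set and the session cookie flagged.
GOOD_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy: default-src 'self'; script-src 'self' https://static.example.test; object-src 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly
"""

# Constructed sample: permissive CSP, no HSTS, no frame options, weak cookies.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: default-src *; script-src * 'unsafe-inline'
Set-Cookie: session=abc123; Path=/
Set-Cookie: prefs=dark; Path=/; HttpOnly
"""

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit_headers(parse_raw_headers(raw)) or ["no findings"]:
            print(" -", finding)
```

Run it as a script to see the two reports side by side; the `https` flag matters because HSTS and the Secure cookie attribute only apply to responses served over TLS, so an audit of a plain-HTTP page should not report them.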

Although there is still some room for improvement, they are doing a very good job compared with a HK online banking website (shown on the right-hand side).